Each tool should be able to add its own content at the top of the app_admin_permissions.html
template
The ForgeTracker tool should say something like this:
If a ticket is marked as private, only Developers (and Admins too, of course) will have permission to access and change it. Everyone else will be denied all permission, including read access. Users that are developers will have permission to do only what the Developer permission grants them (and grants inherited via *authenticated and *anonymous, e.g. 'read'); they won't have their normal permissions that they have with regular tickets.
Perhaps also mention how the special permissions take effect when the ticket is made private, so changing what permissions Developers have later won't change the ticket's permissions. Adding or removing people from the Developers role will still work though.
Some global content for all per-tool permission pages would be good to link to the project-level permissions where groups are set up.